[bionic:linux 1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y
Andy Whitcroft
apw at canonical.com
Thu Feb 18 16:17:47 UTC 2021
In order to support the livepatch key we need to ensure we do not allow
that key to load modules which are not for the specific kernel. From
the documentation on kernel module signing:
If you use the same private key to sign modules for multiple kernel
configurations, you must ensure that the module version information is
sufficient to prevent loading a module into a different kernel. Either
set ``CONFIG_MODVERSIONS=y`` or ensure that each configuration has a
different kernel release string by changing ``EXTRAVERSION`` or
``CONFIG_LOCALVERSION``.
BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
debian.master/config/annotations | 4 +++-
debian.master/config/config.common.ubuntu | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 52fa132d2063..4f2972daee7e 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -8612,9 +8612,11 @@ CONFIG_MODULES policy<{'amd64': 'y', 'arm64': '
CONFIG_MODULE_FORCE_LOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
CONFIG_MODULE_UNLOAD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_MODULE_FORCE_UNLOAD policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_MODVERSIONS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_MODVERSIONS policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_MODULE_SRCVERSION_ALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_MODULE_COMPRESS policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+#
+CONFIG_MODVERSIONS mark<ENFORCED> note<LP:1898716 -- required as we have a livepatch/drivers modules signing key>
# Menu: Enable loadable module support >> Compression algorithm
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 3ef3d8d6a2d8..f2a8b2e49b53 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -5444,7 +5444,7 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SRCVERSION_ALL=y
CONFIG_MODULE_UNLOAD=y
-# CONFIG_MODVERSIONS is not set
+CONFIG_MODVERSIONS=y
CONFIG_MONREADER=m
CONFIG_MONWRITER=m
CONFIG_MOST=m
--
2.29.2
More information about the kernel-team
mailing list